Let’s start by analyzing it with a PE analyzer such as PEiD or RDG Packer Detector.

It is a .NET executable. Thus, we can decompile it using our favourite .NET decompiler.

After decompiling it I found this function in Form1.

```csharp
private void checkflag(int key)
{
    StringBuilder stringBuilder = new StringBuilder();
    string str = "xiomara{";
    string text = "þæþÖîûìèýÖðæüÖíàíÖàýÖ³\u00a0";
    string str2 = "}";
    string text2 = "DB2C17E69713C8604A91AA7A51CBA041";
    // XOR every character of the embedded string with the supplied key.
    for (int i = 0; i < text.Length; i++)
    {
        stringBuilder.Append((char)((int)text[i] ^ key));
    }
    string text3 = stringBuilder.ToString();
    // Compare the MD5 of the decoded string with the embedded digest.
    string text4 = Form1.CreateMD5(text3);
    bool flag = text4.Equals(text2);
    if (flag)
    {
        this.label3.Text = str + text3 + str2;
        this.label3.Visible = true;
    }
    bool flag2 = text4 != text2;
    if (flag2)
    {
        this.label3.Text = "Sorry You are Not So Lucky :( OH!";
        this.label3.Visible = true;
    }
}
```

The function XORs each character of the variable text with the parameter key, an integer that is generated randomly every time you click the Generate button and is then passed to checkflag. After the XOR operation, it computes the MD5 string of the result and compares it to text2, which is probably the flag’s MD5 string.

Now all we need to do is brute-force the key. I created a Python 3 script this time since text is Unicode.

solve.py

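```python
#!/usr/bin/env python3
from hashlib import md5

# Encoded string and target digest taken from the decompiled checkflag.
arr = "þæþÖîûìèýÖðæüÖíàíÖàýÖ³\u00a0"
md5hash = "db2c17e69713c8604a91aa7a51cba041"

# Try every single-byte key and keep the one whose MD5 matches.
for key in range(256):
    flag = ''
    for b in arr:
        flag += chr(key ^ ord(b))
    if md5hash == md5(flag.encode('utf-8')).hexdigest():
        print("xiomara{" + flag + "}")
```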

Let’s execute the script.

```
$ python3 solve.py
xiomara{wow_great_you_did_it_:)}
```

Here is our flag xiomara{wow_great_you_did_it_:)}.
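The script above tries 256 keys, while checkflag takes an int. As an added example (not part of the original write-up), the search below covers every key the cast to char can distinguish. It assumes the default unchecked C# context and UTF-8 inside CreateMD5, which the page does not show; the names decode, digest and find_keys are made up for this example.

```python
#!/usr/bin/env python3
# Added example (not the author's script): search the whole effective key space.
from hashlib import md5

# Values copied from the decompiled checkflag above.
TEXT = "þæþÖîûìèýÖðæüÖíàíÖàýÖ³\u00a0"
TARGET = "DB2C17E69713C8604A91AA7A51CBA041"

CHAR_MASK = 0xFFFF  # a C# char is 16 bits wide


def decode(text, key):
    """Mirror (char)((int)text[i] ^ key): XOR, then truncate to 16 bits.

    Assumption: the cast runs in an unchecked context (the C# default),
    so the high bits of the int key are silently dropped.
    """
    return "".join(chr((ord(c) ^ key) & CHAR_MASK) for c in text)


def digest(candidate):
    """Uppercase MD5 hex digest of the candidate string.

    Assumption: CreateMD5 is not shown on the page; UTF-8 is used here.
    'surrogatepass' keeps wrong keys that produce lone surrogates
    (U+D800..U+DFFF) from raising UnicodeEncodeError.
    """
    return md5(candidate.encode("utf-8", "surrogatepass")).hexdigest().upper()


def find_keys(text=TEXT, target=TARGET):
    """Return every (effective key, plaintext) pair whose MD5 matches."""
    hits = []
    for key in range(CHAR_MASK + 1):
        candidate = decode(text, key)
        if digest(candidate) == target:
            hits.append((key, candidate))
    return hits


if __name__ == "__main__":
    for key, plain in find_keys():
        print(f"key & 0xFFFF = {key:#06x} -> xiomara{{{plain}}}")
```

Only the low 16 bits of the key affect the result, so any int whose low 16 bits equal the reported value passes the check in the program.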

Umut Barış Öztunç

Security researcher who participates in Capture The Flag events, also the founder of BreakPoint CTF team.